Chromecast exploit found and exposed to gain remote root access

It’s a Google Device so obviously the first thing that enthusiasts are looking for is ways to play with it. The team at GTVHacker has just announced the first exploit for the newest Google hardware release a little over three days after it went on-sale.

Normally the GTVHacker team work with GoogleTV and it’s this experience that has led them to be able to develop this specific exploit. When announced at the Breakfast with Sundar event, the Chromecast was said to be running a ‘simplified version of ChromeOS’, the GTVHacker team disagree with this description slightly, advising it’s more ‘a modified Google TV release’ but all the ‘bootloader, kernel, init scripts, binaries, are all from the Google TV’.

With their prior knowledge in hand, they have built an exploit allows developers to gain a root shell to the device using port 23 via telnet; but as they state in their blog post outlining the exploit, Google could push an update to the device at any time to close the hole.

The exploit is gained by booting an unsigned kernel to the device from a USB key using a powered USB-OTG cable and was made possible by Google releasing the bootloader code under GPL which allowed them to determine exactly how to get the key to load the kernel. The team describe the process involved in getting the exploit loaded :

By holding down the single button, while powering the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0×1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.

The full package which is available to download on the GTVHacker Wiki Page as well as full instructions on how to do it. As far as this goes, it’s more of interest to developers so they can have a look at what is inside the package, so if you’re interested in developing for Chromecast, it’s definitely worth a look.

Daniel Tyson Ausdroid's Editor in Chief

Dan is a die-hard Android fan. Some might even call him a lunatic. He's been an Android user since Android was a thing, and if there's a phone that's run Android, chances are he owns it (his Nexus collection is second-to-none) or has used it.

Dan's dedication to Ausdroid is without question, and he has represented us at some of the biggest international events in our industry including Google I/O, Mobile World Congress, CES and IFA.